Malware analysis environment for 64 bit Windows
Mauritius 2016 FIRST TC
Hiroshi Suzuki, Internet Initiative Japan Inc.
Who am I?
• Hiroshi Suzuki, from “Internet Initiative Japan Inc.”, which is short for “IIJ”.
  – IIJ is a Japanese ISP (we are the first commercial ISP in Japan).
• I’m a member of a CSIRT team called “IIJ-SECT”.
  – I’m a malware and forensics analyst for our customers and our company.
  – Our jobs include:
    • Malware analysis
    • Forensic investigation
    • Incident response and handling
    • Developing and operating honeypot and web crawler systems
    • Surveying malware and attack technique trends
    • Hands-on trainer, speaker
      – Including Black Hat, FIRST, internal lectures for the Japanese government and so on.
    • Writing reports for our quarterly report (called “IIR”) and blogs
What is malware analysis?
What is Malware Analysis?
• It reveals malware behavior by combining the methods below.
  – Surface analysis
  – Dynamic analysis (runtime analysis, black box analysis)
  – Static analysis (white box analysis, reverse (code) engineering, reversing…)
• Terms and definitions are not fixed.
  – Sometimes, surface analysis is included in static analysis.
• There is public source analysis as well (in other words, googling ;-)).
What is Malware Analysis?
• Each type of analysis is related to the others.
  (Diagram: Surface Analysis, Public Source Analysis, Dynamic Analysis and Static Analysis, shown as interrelated.)
Why do I focus on 64 bit Windows?
Why do I focus on 64 bit Windows?
• There are a lot of tools for 32 bit Windows.
  – Many web sites and books introduce 32 bit tools.
• But tools for 64 bit were a different story until recently.
  – Now it’s turning for the better.
  – So it’s worth researching during this period of transition from 32 bit to 64 bit.
• And recent malware has both binaries.
  – Sometimes you will need to analyze 64 bit malware if the infected machine is 64 bit Windows.
Surface analysis
Surface analysis tools

Tool name     32  64  Description
CFF Explorer  ○   ○   PE editor, viewer
PE Studio     ○   ○   PE viewer
StudPE        ○   ○   PE editor, viewer
PE Insider    ○   ○   PE viewer
pefile        ○   ○   Python PE editor, viewer

“64” means that it can handle PE32+.
Dynamic analysis
Dynamic analysis tools
• System monitoring tools

Tool name           32  64  Description
Sysinternals suite  ○   ○   Procmon, Sysmon, Process Explorer…
Process Hacker      ○   ○   Monitoring process activities
API Monitor         ○   ○   Monitoring APIs
Fakenet             ○   ○   Internet emulator / packet capture
Fakenet-NG          ○   ○   Internet emulator / packet capture
Wireshark           ○   ○   Packet capture / analyzer
regshot             ○   ○   Monitoring registry and file activities
Capture-BAT         ○   ×   Monitoring registry and file activities
Dynamic analysis tools
• Process Monitor (Procmon)
  – It can monitor:
    • Process activities
    • File activities
    • Registry activities
    • Network activities
Dynamic analysis tools
• Process Explorer
  – It is a high-functionality version of Task Manager. It can visualize:
    • Process tree
    • Handles
    • DLLs
    • Threads
    • TCP/IP
    • Strings (file/memory)
  – And it has the ability:
    • To kill/suspend/restart processes
    • To dump memory
Dynamic analysis tools
• Process Hacker
  – It is similar to Process Explorer. In addition, this tool can also read/write memory regions and dump them.
    • It is useful when I analyze malware that uses the process hollowing technique.
Dynamic analysis tools
• API Monitor
  – It can monitor, as well as pause by setting breakpoints on, over 2,000 APIs including COM-related APIs.
Dynamic analysis tools
• Fakenet-NG
  – Internet emulator
    • Maintained by FireEye (FLARE team)
    • This software redirects communications from malware to itself and records the host names and/or IP addresses of C2 servers and the contents of the traffic.
    • It has a packet capture feature as well.
Dynamic analysis tools
• Debugger

Tool name          32  64  Description
OllyDbg            ○   ×   A 64 bit version has been in development, but it hasn’t been released for over two years. Very slow pace.
Immunity Debugger  ○   ×   There is only an internal version for 64 bit?
x64dbg             ○   ○   New de facto standard?
IDA Pro            ○   ○   Commercial debugger / disassembler. Actually, the 64 bit debugger is a wrapper of WinDbg.
WinAppDbg          ○   ○   Python command line debugger
WinDbg             ○   ○   Microsoft’s original debugger
Dynamic analysis tools
• x64dbg
  – This debugger has a similar look and feel to OllyDbg.
  – It is frequently updated (weekly or nearly daily).
  – It is superior to OllyDbg in that it:
    • Can handle 64 bit binaries.
    • Has a memory breakpoint on execution.
    • Has a decompiler.
    • Can display a graphical code flow.
Dynamic analysis tools
• Debugger plugins

Tool name     32  64  Description
OllyDump      ○   ×   PE dumper for unpacking
OllyDumpEx    ○   ○   PE dumper for unpacking
StrongOD      ○   ×   Hide OllyDbg
HideDebugger  ○   ×   Hide OllyDbg
ScyllaHide    ○   ○   Hide debugger
TitanHide     ○   ○   Hide debugger
OllyMigrate   ○   ○   Debugger migration
Labeless      ○   ○   Debugger collaboration (IDA Pro and others) for labels and comments
ret-sync      ○   ○   Debugger collaboration (IDA Pro and others) for syncing the EIP position
Dynamic analysis tools
• OllyDumpEx
  – This is a kind of PE dumper based on OllyDump.
  – It is useful for unpacking binaries packed with container (cryptor) type packers.
  – It is also useful for “turbo unpacking”: it can search for PE images in memory regions and heap chunks.
  – It can handle many debuggers:
    • OllyDbg v1/v2
    • Immunity Debugger
    • x64dbg
    • WinDbg
    • IDA Pro
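The PE image search that OllyDumpEx performs over memory regions, and the PE32 vs. PE32+ distinction from the surface analysis table, as an added example (not OllyDumpEx’s, pefile’s or the author’s code): a small pure-Python scanner that walks a constructed memory dump, validates each “MZ” candidate through e_lfanew to the PE signature, and reads the optional header magic to tell 32 bit images from PE32+ ones. The function names and the sample dump are constructed for this example.

```python
import struct

# Constants from the PE format (IMAGE_FILE_HEADER.Machine, IMAGE_OPTIONAL_HEADER.Magic).
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
OPT_MAGIC_PE32 = 0x10B      # 32 bit image
OPT_MAGIC_PE32PLUS = 0x20B  # 64 bit image (PE32+)

def parse_pe_header(buf, offset=0):
    """Return (machine, optional-header magic) for a PE image at buf[offset], else None."""
    if buf[offset:offset + 2] != DOS_MAGIC or len(buf) < offset + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", buf, offset + 0x3C)[0]  # file offset of "PE\0\0"
    pe = offset + e_lfanew
    if buf[pe:pe + 4] != PE_SIGNATURE or len(buf) < pe + 26:
        return None
    machine = struct.unpack_from("<H", buf, pe + 4)[0]
    size_of_optional = struct.unpack_from("<H", buf, pe + 20)[0]
    if size_of_optional < 2:
        return None
    magic = struct.unpack_from("<H", buf, pe + 24)[0]  # optional header follows the 20-byte COFF header
    return machine, magic

def bitness(magic):
    return {OPT_MAGIC_PE32: "PE32 (32-bit)", OPT_MAGIC_PE32PLUS: "PE32+ (64-bit)"}.get(magic, "unknown")

def scan_memory_for_pe(buf):
    """Walk every "MZ" in a dumped region and keep the ones that lead to a valid PE header."""
    hits = []
    pos = buf.find(DOS_MAGIC)
    while pos != -1:
        parsed = parse_pe_header(buf, pos)
        if parsed is not None:
            hits.append((pos, bitness(parsed[1]), parsed[0]))
        pos = buf.find(DOS_MAGIC, pos + 1)
    return hits

def build_header(machine, magic):
    """Constructed sample: minimal DOS header + PE signature + COFF header + optional-header magic."""
    dos = bytearray(0x40)
    dos[0:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    size_opt = 0xF0 if magic == OPT_MAGIC_PE32PLUS else 0xE0
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, size_opt, 0x22)
    return bytes(dos) + PE_SIGNATURE + coff + struct.pack("<H", magic) + b"\0" * 30

# Constructed "memory dump": padding, a 32 bit image, a stray "MZ" that is not a PE, then a 64 bit image.
SAMPLE_DUMP = (b"\0" * 16 + build_header(IMAGE_FILE_MACHINE_I386, OPT_MAGIC_PE32)
               + b"MZ junk" + b"\x90" * 10 + build_header(IMAGE_FILE_MACHINE_AMD64, OPT_MAGIC_PE32PLUS))

if __name__ == "__main__":
    for off, kind, machine in scan_memory_for_pe(SAMPLE_DUMP):
        print(f"PE image at offset {off:#x}: {kind}, Machine={machine:#06x}")
```

On a real dump the same walk finds the unpacked image that a container-type packer wrote into memory; the section table and imports would still need a dumper such as OllyDumpEx plus an IAT reconstructor to produce a runnable file.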
Dynamic analysis tools
• OllyMigrate
  – It can move from one debugger to another without restarting the target process in the middle of debugging.
  – It is useful for dealing with anti-debugging.
    • E.g. after I deal with anti-debugging using a debugger with anti-anti-debugger plugins, we can migrate to another debugger like IDA Pro and continue debugging.
  – It can handle many debuggers:
    • OllyDbg v1/v2
    • Immunity Debugger
    • x64dbg
    • WinDbg
    • IDA Pro
Dynamic analysis tools
• ScyllaHide
  – It is an anti-anti-debugger plugin.
  – It can handle several debuggers:
    • OllyDbg v1/v2
    • x64dbg
    • IDA Pro
Dynamic analysis tools
• ret-sync
  – It is a tool for collaboration between IDA and other debuggers.
    • It synchronizes the IDA disassembly view with the debugger’s EIP.
Dynamic analysis tools
• Import reconstruction tools

Tool name  32  64  Description
ImpRec     ○   ×   -
Scylla     ○   ○   -

• PatchGuard disablers

Tool name  32  64  Description
DisPG      -   ○   For Windows 7 SP1
meow       -   ○   For Windows 8.1
Dynamic analysis tools
• Scylla
  – It is an IAT reconstructor.
  – It is based on ImpRec, but it can handle 64 bit binaries.
Static analysis
Static analysis tools
• Disassembler

Tool name  32  64  Description
IDA Pro    ○   ○   De facto standard disassembler

• Disassembler plugins

Tool name      32  64  Description
Findcrypt      ○   ×   Find cryptographic algorithms
IDA Sigsrch    ○   ○   Find cryptographic algorithms
CrowdDetox     ○   ×   Code de-obfuscation
ClassInformer  ○   ○   Find C++ classes
BinDiff        ○   ○   Binary diffing
Turbodiff      ○   ×   Binary diffing
Static analysis tools
• IDA Pro
  – It is the one and only disassembler in the world.
    • Of course I know there are many disassemblers in the wild, but IDA Pro is head and shoulders above the others.
    • It can handle 64 bit binaries (IDA Pro commercial version only).
  – Its 64 bit debugger is a wrapper for WinDbg.
  – It has a lot of abilities:
    • It can display a GUI-based code flow graph.
    • It has a cross reference feature.
    • It can rename functions and variables.
    • It can reconstruct C structures, enumerations (ENUM) and function types.
      – IDA includes many predefined Windows structures, enumerations and types by default.
    • It has scripting (IDC, Python) to automate analysis and debugging tasks.
    • It has a decompiler plugin.
Static analysis tools
• BinDiff
  – It is a binary diffing tool provided as a plugin for IDA Pro.
    • It was a commercial tool, but now it’s free.
  – It is a useful tool for analyzing variants.
    • Because it can compare the differences between variants, as well as import/export comments and names.
  https://www.zynamics.com/bindiff.html
Conclusion
• Newer tools, and existing tools that are updated continuously, can handle 64 bit binaries.
  – Now you can analyze 64 bit malware in a 64 bit environment.
• But some tools, especially reverse engineering tools, can’t handle 64 bit binaries.
  – Sometimes we might experience a tough situation in a reverse engineering task.
That’s it! Any questions?
Twitter: @herosi_t